[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Samsung Galaxy Buds – Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption (Vendor Response: Working as Intended)
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Samsung Galaxy Buds – Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption (Vendor Response: Working as Intended)
- From: 490h3fqwomf via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Fri, 05 Jun 2026 09:21:12 +0000
Hello Full Disclosure,
The following publicly available research describes a Bluetooth attack against
Samsung Galaxy Buds that leverages connection arbitration behavior between HFP
and A2DP profiles to preempt an active audio session.
Title:
Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption
Exploiting Seamless Earbud Connection Arbitration to Bypass Pairing Trust
Boundaries
According to the published research, an attacker within Bluetooth range can
force a transition of the active audio session to an attacker-controlled device
without requiring user interaction or. The writeup argues that this behavior
crosses expected trust boundaries associated with paired devices and may allow
unauthorized audio routing or session takeover under certain conditions.
The author states that the issue was reported to Samsung and that Samsung
ultimately classified the observed behavior as "working as intended."
Original publication:
Gist:
https://gist.github.com/mroldguy/98c77d25a3e01d6d966523dac353af86
Original:
https://paste.rs/UkBmF.md
Archived copy:
https://archive.is/6KXIp
Summary of the claims made in the publication:
- Affects Samsung Galaxy Buds devices.
- Relies on Bluetooth Classic profile behavior involving HFP and A2DP
connection management.
- Described as a zero-click attack requiring no user approval during takeover.
- Does not require compromise of the target phone.
- Reportedly allows an attacker within radio range to preempt an active
session and become the active audio endpoint.
- Vendor response is reported as "working as intended."
Interested readers should consult the original publication for technical
details, proof-of-concept material, disclosure timeline, testing methodology,
and limitations.
I am not the author of this research. This message is a reference to an
already-public disclosure and is being forwarded for awareness and archival
purposes.
Regards,
Anonymous (490h3fqwomf[)](mailto:490h3fqwomf@xxxxxxxxx)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/